The are many reasons why someone might want to detect if users are accessing their site via a proxy. For one, all spammers use proxies. Proxies can also be used to cheat voting systems, create multiple accounts when only one account is allowed or make it appear like the user is browsing from a different country. On the other hand, there are also legitimate uses for proxies. For example, many ISPs route all their traffic though a proxy.

Today I’ll discuss several techniques you can use to detect if your site is being accessed through a proxy.

Checking HTTP Headers

Transparent and low-anonymity proxies add certain HTTP headers to each HTTP request. Checking for the presence of these headers is the simplest way to detect a proxy. Example PHP code fragment :

Some have suggested that comparing the remote port ($_SERVER[‘REMOTE_PORT’]) to common proxy ports could also be used for proxy detection. I haven’t tested this, but it seems unlikely. As far as I know, servers listen for inbound connections on one set of ports and perform outbound connections from different port numbers (often randomly selected). So if the proxy server is running (waiting for inbound connections) on port 8080, it would use a different port number for retrieving your page (this being an outbound connection).

Highly anonymous proxies don’t add the abovementioned headers and can’t be detected with this technique.

Port scan

Another way to detect a proxy is to scan commonly used proxy ports on the client’s IP. If any of the ports are open, that host is probably a proxy. Here’s a primitive port scanner :

Keep in mind that legitimate users may view port scanning as highly suspicious. If you decide to do this, make sure you save the results somewhere so you don’t need to do it again for that user. Store the IP status (proxy or not) in a database, or at least set a cookie.

Open Proxy Blacklists

There are many sites that maintain blacklists of open proxies and open SMTP relays. The Wikipedia entry on DNSBL goes into some detail on this and also lists several such blacklists (e.g. SORBS and DSBL).

You can query these blacklists using the DNS protocol. For example, if you want to check the IP address 1.2.3.4 on DSBL.org, do a DNS lookup for 4.3.2.1.list.dsbl.org. If the lookup succeeds, the IP was found in the list. The exact hostnames vary by blacklist provider. To perform a DNS lookup in PHP, use the gethostbyname() function.

Here’s a more complete example with source code – blacklist lookups in PHP.

In conclusion

There are other tricks I didn’t mention above, like using cookies or Java applets, but they are less reliable and rely on client-side features. That might be fine if you just want to ensure your human visitors aren’t skewing poll results (or something) by using proxies, but client-side techniques wouldn’t work against most automated spam bots and other malware.

Overall, there is no way to be 100% sure whether someone is using a proxy server to access your site, but the methods described in this post can help you identify a large percentage of proxy connections.

Ah, I forgot to mention the various CGI proxies that are marketed as “MySpace/Facebook/whatever unblockers”. Well, if they’re not in one of the blacklists, you’ll need to write a script (JavaSript) that checks if the domain name of the current page matches your site’s domain name. If it doesn’t, use some advanced framebreaker JavaScript to get your site out of their frames. Google it.

However, be aware that using a frame breaker would also make your website break out of Google Image Search frames and so on. Also, CGI proxies process you HTML code and can remove your frame breaking script – that’s why I said it needs to be advanced.

17 Responses to “Detect Users Accessing Your Site Via a Proxy”

i was thinking… if the user is under a shared connection? what to do
to avoid showing “you are under proxy!” or this does let the users pass
through a shared connection? (like that: USER>>SERVER>>ROUTER>>INTERNET)
also, how to detect if the user is under a common proxy, like a proxy
from work? different from a malicious/free/open proxy? thanks.

Blacklists could help with that – I’m pretty sure normal company proxies don’t get blacklisted, but malicious proxies do/should. I think other heuristics I mentioned in this post (e.g. checking headers) can’t be used to make this distinction.

For that past three months, I’ve been waiting for that DVD edition on the Frasier series. I’m even now fourth in line at my local library to receive these so I was incredibly excited to learn that I can Cant Filter Me.. My plan was to watch the DVDs within the train whilst commuting to and from perform so I’m hoping I have World wide web access through the tunnels and stations on my route. My wife laughs about my obsession with this, but she is hooked on particular Television exhibits herself. I’m wondering if I should tell her that she can watch her exhibits online also.

[…] a privacy policy? Do I even need a warning? I'm also going to block proxies as another deterrent. (I.E. checking HTTP headers and a quick portscan via this tutorial, I'm worried the portscan may load my web server down. (What I'd LOVE to do is have a cookie set […]

I have been browsing online more than 3 hours today, yet I never found any interesting article like yours.
It is pretty worth enough for me. In my opinion,
if all web owners and bloggers made good content as you did, the internet will be much
more useful than ever before.

I beloved as much as you will obtain carried out right here. The comic strip is attractive, your authored subject matter stylish. nonetheless, you command get bought an edginess over that you would like be delivering the following. in poor health for sure come further formerly again since precisely the similar just about very ceaselessly inside case you defend this hike.

Search

This site uses cookies to improve your experience, to personalize ads and to analyze traffic. It also shares information about your use of this site with social media, advertising and analytics partners. By using this site, you agree to its use of cookies. AcceptSee Details